Hi All,
I have been struggling with this for a few days now. My requirements are:
1. Certificate based encryption between Zabbix server (5.0 LTS) and agent (5.0).
2. As we have hundreds of systems, I want to register the agents automatically.
On the server side:
- I configured TLS settings (TLSCAFile, TLSCertFile, TLSKeyFile)
- Created an Autoregistration Action (Configuration > Action > Autoregistration actions) to add any system with metadata=Linux to the appropriate group and link the correct templates.
- Configured below settings
  - TLSConnect=cert
  - TLSAccept=cert
  - TLSCAFile, TLSCertFile, TLSKeyFile pointing to appropriate files
  - TLSServerCertIssuer, TLSServerCertSubject correct values of issuer and subject of the server's cert
autoregistration from "<agent_IP>" denied (host:"agent hostname>" ip:"agent_hostname" port:10050): connection type "TLS with certificate" is not allowed for autoregistration
To try a different approach, I decided to create a 'Discovery' rule which scans zabbix_agents and then "add" them using discovery rules (Configuration > Actions > Discovery).
However, after adding the discovery rule on the server, I started seeing the following error on the agent side.
failed to accept an incoming connection: from <zabbix server ip>: unencrypted connections are not allowed
To work around that, I had to allow unencrypted connections by making the following change in the agent configuration: "TLSAccept=cert,unencrypted"
Once the host appears on the server I have to manually enable encryption on the host.
My questions are:
1. Is it safe to enable TLSAccept=unencrypted to allow the discovery process to find the host?
2. When we add the "discovered" hosts to group/template etc. using Discovery rule, is it also possible to assign encryption type (cert) and provide issuer/subject automatically?
Thank you,
J
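The manual step described in the post (enabling certificate encryption on each host after it appears) can be scripted against the Zabbix 5.0 JSON-RPC API, whose host object carries tls_connect, tls_accept, tls_issuer and tls_subject. The following is an added example, not part of the original post and not Zabbix project code; the issuer string, the CN-equals-host-name subject pattern, the host IDs and the sample data are assumptions made for illustration.

```python
import json
import urllib.request

TLS_CERT = 4  # host object values: 1 = no encryption, 2 = PSK, 4 = certificate
FIELDS = ["hostid", "host", "tls_connect", "tls_accept", "tls_issuer", "tls_subject"]

def rpc(method, params, auth=None):
    """Build a JSON-RPC 2.0 body in the shape the Zabbix 5.0 API expects."""
    return {"jsonrpc": "2.0", "method": method, "params": params, "auth": auth, "id": 1}

def call(url, body):
    """POST one request to api_jsonrpc.php and return its result."""
    req = urllib.request.Request(url, json.dumps(body).encode(),
                                 {"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]

def plan_updates(hosts, issuer, subject_for):
    """Return host.update params for hosts not yet pinned to certificate-only TLS."""
    updates = []
    for h in hosts:
        wanted = {"tls_connect": TLS_CERT, "tls_accept": TLS_CERT,
                  "tls_issuer": issuer, "tls_subject": subject_for(h["host"])}
        current = {"tls_connect": int(h["tls_connect"]), "tls_accept": int(h["tls_accept"]),
                   "tls_issuer": h.get("tls_issuer", ""), "tls_subject": h.get("tls_subject", "")}
        if current != wanted:
            updates.append({"hostid": h["hostid"], **wanted})
    return updates

def enforce(url, user, password, groupid, issuer, subject_for):
    """Log in, read the hosts of one group, and apply the planned updates."""
    token = call(url, rpc("user.login", {"user": user, "password": password}))
    hosts = call(url, rpc("host.get", {"groupids": [groupid], "output": FIELDS}, token))
    updates = plan_updates(hosts, issuer, subject_for)
    for params in updates:
        call(url, rpc("host.update", params, token))
    return updates

# Constructed sample of a host.get result (the API returns numbers as strings).
ISSUER = "CN=Example Monitoring CA,O=Example"    # placeholder issuer
def subject_for(name):                           # assumed naming: CN = host name
    return "CN=%s,O=Example" % name
SAMPLE_HOSTS = [
    {"hostid": "10501", "host": "web01", "tls_connect": "1", "tls_accept": "1",
     "tls_issuer": "", "tls_subject": ""},                        # host defaults
    {"hostid": "10502", "host": "db01", "tls_connect": "4", "tls_accept": "4",
     "tls_issuer": ISSUER, "tls_subject": "CN=db01,O=Example"},   # already compliant
    {"hostid": "10503", "host": "app01", "tls_connect": "4", "tls_accept": "5",
     "tls_issuer": ISSUER, "tls_subject": "CN=app01,O=Example"},  # still accepts unencrypted
]
```

plan_updates(SAMPLE_HOSTS, ISSUER, subject_for) can be inspected as a dry run before enforce() is pointed at a real api_jsonrpc.php URL.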